CVE-2025-49844 is a critical vulnerability affecting Redis, an open-source in-memory database with disk persistence. The severity level is rated at 9.9 on the CVSS scale, indicating the potential for serious impact. This vulnerability allows an authenticated user to exploit a specially crafted Lua script, manipulating the garbage collector and triggering a use-after-free condition, which can lead to remote code execution. The urgency for defenders is high, as this vulnerability presents significant risks.
Organizations should prioritize patching immediately. The issue affects all versions of Redis with Lua scripting and has been fixed in version 8.2.2. Organizations that use affected versions should assess their exposure and take necessary actions to mitigate the risks.
The vulnerability is actively exploitable, with known exploits available, increasing the urgency for organizations to address this issue. Notably, this vulnerability has garnered attention due to its potential impact on the confidentiality, integrity, and availability of systems relying on Redis.
Organizations using Redis can implement access control lists (ACLs) to restrict the execution of Lua scripts as a temporary workaround until they can apply the necessary updates.
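To make the ACL workaround concrete, here is an added audit script (not Redis code and not part of this advisory) that reads `users.acl`-style lines and reports which enabled users can still reach the Lua-executing commands. It assumes the documented `user <name> <rule> ...` line format with rules applied left to right, and that the `@scripting` category contains the commands listed in `SCRIPTING_COMMANDS`; confirm the category membership on your own server with `ACL CAT scripting`. The ACL lines in the sample are constructed: one shows the weak default (`+@all`), one the restricting form (`+@all -@scripting`), and one re-enables `EVAL` after the category deny, which is the kind of mistake the audit is meant to catch.

```python
"""Audit Redis ACL rules for users who can still run Lua scripts.

Added example for the ACL workaround; not Redis code or part of the advisory.
Assumptions: users.acl lines look like "user <name> <rule> ..." and rules are
applied left to right; the @scripting category members are those listed in
SCRIPTING_COMMANDS (verify with `ACL CAT scripting`). Sample lines are constructed.
"""

# Assumed membership of the Redis @scripting ACL category.
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "script", "function", "fcall", "fcall_ro",
})

# Constructed users.acl content: weak default, restricted form, and a user
# that re-enables EVAL after the category deny. "legacy" is disabled.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >app-pw ~app:* &* +@all -@scripting
user worker on >worker-pw ~* &* +@all -@scripting +eval
user legacy off ~* +@all
"""


def apply_command_rules(rules):
    """Return (enabled, allowed_scripting_commands) after applying rules in order.

    Only rules relevant to this audit are interpreted: on/off, the @all and
    @scripting category selectors, and per-command +cmd/-cmd. Key, channel,
    password and other category rules are skipped (assumption: adequate for a
    first pass). A per-subcommand rule such as +script|flush is counted as the
    whole command so the audit errs on the side of flagging.
    """
    enabled = False          # a Redis user stays off until an "on" rule appears
    allowed = set()
    for rule in rules:
        r = rule.lower()
        if r == "on":
            enabled = True
        elif r == "off":
            enabled = False
        elif r in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif r in ("nocommands", "-@all", "-@scripting"):
            allowed.clear()
        elif r and r[0] in "+-" and not r.startswith(("+@", "-@")):
            cmd = r[1:].split("|", 1)[0]
            if cmd in SCRIPTING_COMMANDS:
                (allowed.add if r[0] == "+" else allowed.discard)(cmd)
    return enabled, allowed


def audit_acl(acl_text):
    """Map each enabled user to the sorted scripting commands it can run.

    Users with no remaining scripting access are omitted, so an empty result
    means every enabled user is blocked from EVAL/FUNCTION-style execution.
    """
    findings = {}
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        enabled, allowed = apply_command_rules(parts[2:])
        if enabled and allowed:
            findings[parts[1]] = sorted(allowed)
    return findings


if __name__ == "__main__":
    for user, cmds in audit_acl(SAMPLE_ACL).items():
        print(f"{user}: can run {', '.join(cmds)}")
```

Run it against an exported ACL file, or against the output of `ACL LIST` once the leading quotes are stripped; any user it prints still has a path to Lua execution and should have `-@scripting` appended (or the stray `+eval` removed) until the instance is upgraded.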
Vulnerability Details
The official CVE description states that Redis versions 8.2.1 and below allow an authenticated user to execute crafted Lua scripts that manipulate the garbage collector, leading to a use-after-free vulnerability. The vulnerability is classified under CWE-416, representing a significant security concern. The issue is effectively mitigated in Redis version 8.2.2, which should be adopted by all users.
Technical Analysis
The root cause lies in how Redis handles Lua scripts: a specially crafted script can manipulate the Lua garbage collector so that memory is freed and later reused, a use-after-free. The attack vector is network-based and attack complexity is low; the attacker needs only low privileges, namely an authenticated user permitted to run Lua scripts, and no user interaction is required.
The vulnerability has a high impact on confidentiality, integrity, and availability, making it a critical concern for organizations utilizing Redis. Attackers leveraging this vulnerability could gain unauthorized access to sensitive data or disrupt normal operations.
Risk & Impact Analysis
The risk to organizations includes potential unauthorized access to sensitive information and disruption of services. The blast radius for this vulnerability is significant, especially in environments where Redis is used for critical data storage or processing. Given the CVSS score of 9.9, the urgency for remediation is critical, and organizations must act swiftly to mitigate risks associated with this vulnerability.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | Yes |
| Public PoC | Yes |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
Affected versions include Redis versions 8.2.1 and below, as well as various versions of the Valkey component. Specifically, versions prior to 8.2.2 are vulnerable. Organizations should upgrade to version 8.2.2 or later to mitigate this vulnerability.
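As an added check for the version statement above (not part of the advisory), the following script reads `INFO server` output and decides whether an instance is below the 8.2.2 fix release named on this page. It assumes the documented `key:value` line format of INFO and treats missing or unparseable version data as affected so that a bad response cannot silently pass; the INFO excerpts are constructed. The threshold is the single version the page gives, so if your distribution backports fixes to other release lines, adjust `FIXED_VERSION` accordingly.

```python
"""Flag Redis instances reporting a version below the fixed release.

Added example, not part of the advisory. Assumes INFO output uses
"key:value" lines (CRLF separated) and takes the fixed version 8.2.2 from
the advisory text; sample INFO excerpts are constructed.
"""
import re

FIXED_VERSION = (8, 2, 2)   # from the advisory: 8.2.1 and below are affected

# Constructed `INFO server` excerpts for a vulnerable and a patched instance.
SAMPLE_INFO_VULNERABLE = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
SAMPLE_INFO_PATCHED = "# Server\r\nredis_version:8.2.2\r\nredis_mode:standalone\r\n"


def parse_version(info_text):
    """Extract redis_version as an (major, minor, patch) tuple, or None."""
    for line in info_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "redis_version":
            match = re.match(r"(\d+)\.(\d+)\.(\d+)", value.strip())
            if match:
                return tuple(int(p) for p in match.groups())
    return None


def is_affected(info_text, fixed=FIXED_VERSION):
    """True when the reported version is below the fixed release.

    Unparseable output is reported as affected (assumption: an audit should
    fail closed rather than pass an instance it could not identify).
    """
    version = parse_version(info_text)
    return version is None or version < fixed


if __name__ == "__main__":
    for label, info in (("vulnerable", SAMPLE_INFO_VULNERABLE),
                        ("patched", SAMPLE_INFO_PATCHED)):
        print(f"{label}: version={parse_version(info)} affected={is_affected(info)}")
```

Feed it the raw text returned by `redis-cli INFO server` for each instance in an inventory; anything reported as affected should be upgraded, with the ACL restriction on scripting commands applied in the meantime.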
Mitigation & Remediation
CVE-2025-49844 represents a serious risk for Redis users, highlighting the importance of secure coding practices in application development. Security teams should review their Lua script usage and ensure appropriate safeguards are in place. For more insights on mitigating vulnerabilities and enhancing security posture, organizations may consider engaging with our red teaming services to identify and remediate security weaknesses.
Additionally, organizations may find value in our application security assessments to evaluate their defenses against similar threats.
By proactively addressing vulnerabilities like CVE-2025-49844, organizations can strengthen their security frameworks and minimize the attack surface.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.